[PCI DSS 3.0] [PCI DSS 3.0] 6.4.5 Change control procedures for the implementation of security patches and software modification

pcinetwork

PCINetwork.org Admin
#1
6.4.5 Change control procedures for the implementation of security patches and software modifications must include the following:

6.4.5.a Examine documented change control procedures related to implementing security patches and software modifications and verify procedures are defined for:
• Documentation of impact
• Documented change approval by authorized parties
• Functionality testing to verify that the change does not adversely impact the security of the system
• Back-out procedures

6.4.5.b For a sample of system components, interview responsible personnel to determine recent changes/security patches. Trace those changes back to related change control documentation. For each change examined, perform the following: (See 6.5.4.#)

If not properly managed, the impact of software updates and security patches might not be fully realized and could have unintended consequences.
 
Top